1. Field of the Invention
The present invention relates to software and execution environments incorporated in a portable digital device, and in particular relates to a method for making secure the execution of an application compiled in intermediate language against fault attacks, during the execution thereof on a portable digital device equipped with a virtual executing machine.
2. Description of the Related Art
A portable device will hereinbelow mean any portable digital device such as a portable computer but also any device equipped with a microcontroller which combines a processor and memories, such as a chip card.
The desire to create interoperable applications has led to the development of intermediate programming languages. The main aim of these languages is therefore to make their software independent of the hardware on which they have to be executed. The software items are then designed to be executed in the form of an intermediate code which is independent of the underlying architecture.
The programmers are thus generally released from the constraints associated with specific hardware. Intermediate languages such as Java bytecode, obtained after compilation from the Java source language, have thus expanded greatly as a result. Mention may also be made of the intermediate language MSIL (“Microsoft intermediate language”) which is used in the context of the .Net or DotNet (registered trademark) environment, obtained after compilation from various possible source languages such as C++ or C#.
The intermediate code therefore conventionally corresponds to a compiled form of the software. This software, compiled in Java, or in other intermediate languages, such as .Net, cannot be executed as such by the processor of the device on which it is desired to execute a program compiled in the form of intermediate code. It is necessary to introduce a software layer which has the main aim of interpreting the intermediate code into instructions which can be executed by the processor of the host device. This software layer is referred to as a “virtual machine”. For example, the JAVA virtual machine makes it possible to execute a Java software item on a given platform on which it is implemented.
A Java software item is conventionally distributed in the form of a set of modules consisting of .class files, corresponding to a compiled form of the software. Each compiled file corresponds to a data structure of the class type and as such comprises the information relating to this class, namely the description of the elements of the class (its constants, its fields, its methods), the description of the elements used by the class and defined in other classes (fields and methods), the code of the methods of the class in the form of instructions (bytecode) which can be interpreted by the interpreter of the Java virtual machine.
In a simplified manner, a .class file has for example the following structure:
  ClassFile {  Field_list;    //Description of the fields ofthe class  Method_list;     //Methods  of  this  class(including  their  bytecode,  that  is  to  say  theirinstructions  which  can  be  interpreted  by  theinterpreter of the virtual machine)  }
Thus, by way of example, in the context of an electronic purse Java application, it is possible to define a class named “Purse” with its field “balance” and its method “decrementBalance( )”. The .class file could have the following structure:
Public class Purse {private int balance = 0;public void decrementBalance( ){  this.balance = this.balance − 1;  }}
Thus, according to this example, the execution of the method of the class “Purse” consists in subtracting the value 1 from the current instance of the balance field.
The execution of the corresponding Java software is carried out by the Java virtual machine installed on the portable device.
This virtual machine converts the information of the ClassFile into data structures in the working memory which are specific to the virtual machine and which allow this virtual machine to interpret and execute the software.
To do this, the virtual machine has a specific set of instructions, each instruction being coded on one or more octets. The set of instructions of the virtual machine comprises for example a certain number of conventional instructions such as arithmetic operations, logical operations and jumps. The virtual machine typically has an execution stack which uses local variables numbered from zero, but may also use registers.
At present, the execution of an application by the virtual machine is not entirely secure, in particular with regard to attacks in general and especially fault attacks. For instance, the sensitive value in the above example, represented by the “balance” field, may be modified following the injection of a fault during the manipulation of this value for the interpretation of the method of updating this field by the virtual machine, leading to the setting of a final value in the stack for the balance field which is different from that normally expected, for example the balance field may be forced to its maximum value.
One known manner of protecting applications in intermediate code against fault attacks during their execution by the virtual machine on the card consists in adding a redundant checksum code within the actual code of the application that is to be executed.
For example, in order to protect the aforementioned code, it is possible to use in Java, as a checksum data item, the complemented value of the balance field, denoted ˜balance, which returns the ones complement of the binary balance value, and to update this checksum data item value in parallel with the updating of the balance value during the execution of the method by the virtual machine. A comparison of the result of the two update calculations carried out in parallel, on the one hand for the balance field and on the other hand for the complemented ˜balance field, then makes it possible to verify the integrity of the data items that have been used to carry out the calculations. The Java code modified as a consequence then has the following structure:
  public class Purse {  private int balance = 0;  private  int  balChecsum  =  ~balance;   //  =OxFFFFFFFF  public void decrementBalance( ){    this.balance = this balance − 1;    this.balChecsum = this.balChecsum + 1;    }  }
The disadvantage or such a method for mating secure the execution of Java code is that it consumes a great deal of resources and calculation time, which is penalising in restricted environments such as chip cards.
Furthermore, the developers of Java applications (or applications in another intermediate language) then have to develop the code of their application while taking account of this constraint in order to protect the sensitive parts of the code.